General

Target: BlockTheSpot-master.zip
Size: 388KB
Sample: 240520-cdme5aec78
MD5: 8cfb954c488f2b63156fb9a4a52020d6
SHA1: 786cf7adf8bdae4cb54ce17a84eccd5aa9aabde0
SHA256: 0fd57864cb820027ecddf4395633514ea6472f775cce6be99c95007b7410e1af
SHA512: 08e3ef3a5bbaadbd344d46e066f767043b8dc279aa1177b3036bd4a27f9bf94913925baebc90e5ad4eab6ef9aa4471efa23d61aa4f7e143f409dd5ec30a50b20
SSDEEP: 6144:ML7/9lE/6ACwBQSKORf2PzdJ2ehbPuew+Aalb6qNKCF0eZR3Xc/:kxa/6AlQSKnhw4c+3lb2CzfXM

Behavioral tasks

behavioral1
Sample: BlockTheSpot-master/downgrade.bat
Resource: win7-20240221-en

behavioral2
Sample: BlockTheSpot-master/downgrade.bat
Resource: win10v2004-20240508-en

behavioral3
Sample: BlockTheSpot-master/install.bat
Resource: win7-20240221-en

behavioral4
Sample: BlockTheSpot-master/install.bat
Resource: win10v2004-20240508-en

behavioral5
Sample: BlockTheSpot-master/netutils.dll
Resource: win7-20240508-en

behavioral6
Sample: BlockTheSpot-master/netutils.dll
Resource: win10v2004-20240426-en

Malware Config

Extracted: http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe

Targets

Target: BlockTheSpot-master/downgrade.bat
Size: 359KB
MD5: e1c1b01bc33b17f01a3bdd84cceb459f
SHA1: 1d1bdf948117c05b745ea3a3a137cda065939eaf
SHA256: e5ac829a0e6c75478d868d925663b1db9aa7d0e316ac53634766ef33c8f763c2
SHA512: e4690bbcc9a9bba03bd8f8d7dd8e68e796399208d9923043dedfd636bffc5a30992b646f9b780c89e71ab2906d05d2294b525cffabab663e60d5456ce7ec9c27
SSDEEP: 3072:AvNBQ2hMg0RIG1h8avP4hlttvNlsfSPrbrXqUpwo2mdMQhJxAdOzERy3redp9OB5:AvU290mOghlt7lsKzbrFguPt1

- Detect Lumma Stealer payload V4
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application

Target: BlockTheSpot-master/install.bat
Size: 358KB
MD5: 2080fc685222b511643d34d9b1c7f8cb
SHA1: b11c4e930560c9f18501ad6fe2aff522328a6ecc
SHA256: ed08d3ed985d243d4c9c7924cf8766e090da631afca621fe5a7ca0a9c1936505
SHA512: 7e09fd478ff3e8cb2b0be9affddc86fbc44d311bc7dc9c378b5cfadd302ba64361f7db35f86cc6fccad5dfe12f4914b90376a235c56461dc3d96900bad7825f2
SSDEEP: 3072:kvNBQ2hMg0RIG1h8avP4hlttvNlsfSPrbrXqUpwo2mdMQhJxAdOzERy3redp9OB5:kvU290mOghlt7lsKzbrFguPt1
Score: 1/10

Target: BlockTheSpot-master/netutils.dll
Size: 357KB
MD5: 301efd794940d799a9b67575ddf9e414
SHA1: 175465fc68f8b3e419342eeeb2b478c6649513a4
SHA256: f1f024d75051dc703e7f176647d10c73a3f3e936d2f336b0083fab4511d62401
SHA512: b662b367c7af9af7aa1043256438625c57962d12b8b2b711363ec172f556b445b399a51e10afbb463156b6f6dc9e3a58602c4848ac68b4552a091f47c055599c
SSDEEP: 3072:ovNBQ2hMg0RIG1h8avP4hlttvNlsfSPrbrXqUpwo2mdMQhJxAdOzERy3redp9OB5:ovU290mOghlt7lsKzbrFguPt1
Score: 3/10

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1

Defense Evasion
- File and Directory Permissions Modification: 1
- Modify Registry: 3
- Subvert Trust Controls: 1
  - Install Root Certificate: 1
- Virtualization/Sandbox Evasion: 2